The underground marketplace intelligence landscape is vast and complex. Monitoring dark web forums and marketplaces for brand mentions and threats is essential to proactively defend against attacks and data leaks. When suspicious data appears, knowing how to respond quickly is key to protecting your brand, employees, and customers.
In this blog, we discuss the types of intelligence present on dark web spaces, and Fortra’s recommendations for data prioritization and subsequent application. These recommendations empower security teams to more effectively detect and defend against attacks emerging from the dark web.
Types of Dark Web Intelligence
Full credit card credential intelligence
It's common to find leaked credit card information with full card numbers and associated data on the dark web. Compromised data of this nature can lead to swift monetary loss and long-term brand damage for organizations. Leaked credit card credentials should be a priority for security teams.
Credit card information available for capture may include:
- The expiration date on the card
- CVV number
- Other personally identifiable information (PII) associated with the cardholder
Listings on the dark web that include full credit card numbers and other PII details should provide enough intelligence to determine who the affected customers are. Post-analysis, Fortra recommends security teams use this information to block affected consumer credit or debit cards and re-issue new cards to members.
Carding marketplace intelligence
Tools that detect and eliminate fake social media accounts, spoofed profiles, and fraudulent mobile apps designed to mislead customers or impersonate executives and employees.
Credit card data
The amount of PII exposed on a credit card data marketplace depends on how much information the vendor chooses to reveal to attract potential buyers. Fortra recommends security teams scrape any partial PII from the marketplace to determine if there is enough information to identify the customer.
Dump data
Carding marketplaces that sell dump data typically provide limited details, with customer PII often absent. To extract meaningful intelligence, security teams should monitor key trends such as targeted BINs, average pricing, and the volume of data for sale. Analyzing these indicators helps determine whether marketplace activity aligns with observed fraud patterns. As with credit card marketplaces, teams should continuously scrape all available data from dump sites and incorporate this intelligence into ongoing investigations.
Account marketplace intelligence
Account-based marketplaces sell content that includes visible PII of compromised individuals. This can vary based on the individual marketplace and the vendor selling the data. Common information that security teams should capture, if available, includes:
- Account number
- Mobile phone identification number
- Last four digits on the credit card of the account
- Partial name/address
Vendors on account-based marketplaces often include screenshots as proof of access to compromised accounts. Those with poor operational security may unintentionally expose customer PII in these images. Fortra recommends capturing and cataloging such screenshots alongside the associated account listings to aid in victim identification.
In addition to account credentials, some vendors also offer stolen bank checks. These listings frequently include images of the checks, which may further reveal sensitive customer information.
Third-party leaks intelligence
Email and password combinations from database leaks, third-party breaches, or combo-lists are commonly traded on dark web marketplaces and forums. Upon detection and analysis of this data, Fortra recommends that security teams promptly notify affected employees. Immediate password resets are strongly advised — particularly if the exposed credentials are recent and may still comply with the organization’s current password policies.
Leaks persist online for months and even years post-incident, and threat actors use OpenBullet configuration tools designed to exploit username and password combinations. Together, these mean affected individuals remain at risk if they continue to use the same login.
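The triage described above can be sketched as follows. This is an added example, not Fortra's tooling: it filters combo-list lines to the organization's mail domain and ranks reset urgency by leak recency and whether the exposed password would still pass the current policy. The domain, policy thresholds, recency cut-off, priority labels and sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import date

ORG_EMAIL_DOMAINS = {"example.com"}  # assumed corporate mail domain
MIN_LENGTH, MIN_CLASSES = 12, 3      # assumed current password policy
RECENT_DAYS = 365                    # assumed cut-off for a "recent" leak
RANK = {"high": 0, "medium": 1, "low": 2}

# email, then the first ':', ';' or '|'; the rest is the password (may contain ':')
LINE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)[:;|](.*)$")

def meets_policy(password):
    """True if the leaked password would still be accepted under the current policy."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    hits = sum(1 for c in classes if re.search(c, password))
    return len(password) >= MIN_LENGTH and hits >= MIN_CLASSES

def triage_combo_lines(lines, leak_date, today):
    """Map each affected corporate account to a reset priority.

    Every listed account still gets notified and reset; the priority only orders the work.
    The password is evaluated in memory and never stored in the result.
    """
    recent = (today - leak_date).days <= RECENT_DAYS
    results = {}
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not an email:password line
        email, password = m.group(1).lower(), m.group(2)
        if email.rsplit("@", 1)[1] not in ORG_EMAIL_DOMAINS:
            continue  # third-party address, out of scope
        compliant = meets_policy(password)
        priority = "high" if recent and compliant else "medium" if recent or compliant else "low"
        # an account can appear several times; keep its most urgent rating
        if email not in results or RANK[priority] < RANK[results[email]]:
            results[email] = priority
    return results

# Constructed sample lines, not real leaked data.
SAMPLE_LINES = [
    "alice@example.com:Winter2019",
    "bob@example.com;C0rrect-Horse-Battery",
    "carol@other.org:Whatever123!Long",
    "not a credential line",
    "Bob@Example.com:short",
]
```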
Forum-based intelligence
Dark web forums serve as hubs where threat actors collaborate and exchange information on topics such as hacking and fraud. Identifying which forums a threat actor frequents can help security teams better assess the threat landscape and understand the breadth of compromised data linked to that actor. It’s common for the same individual to post identical content across multiple forums.
To detect potential threats targeting your organization, a best practice is to implement keyword alerts across dark web forums. This allows for real-time monitoring of posts that reference your company’s assets and enables rapid response. Keyword-based intelligence can support investigations by uncovering data points such as:
- Threat actor name
- Threat actor contact information
- Links to other sites that the threat actor may operate
- Information from snippets of shared data the forum member may be previewing
Traditional marketplace intelligence
Traditional markets are dark web marketplaces that sell everything from drug paraphernalia to digital goods. These markets typically do not have visible PII due to the nature of how they operate, meaning threat actors will not divulge the details of the sensitive data or guides they intend to profit from. Security teams should focus on details around the threat actor, selling history, and where they advertise their goods/services. Capture the following, if possible, on traditional marketplaces:
- Threat actor name
- Information displayed in the listing’s product description
- Shops they are associated with
- Vendor reviews
These insights contribute to evaluating the potential impact of the threat and prioritizing the appropriate response timeframe.
Traditional marketplaces, like forums, often host repeat activity from the same threat actors, who may sell identical content across multiple platforms. By identifying where a threat actor operates and aggregating related intelligence, organizations can gain a clearer picture of the threat landscape and make informed decisions about response urgency and resource allocation.
Infostealer marketplace intelligence
Infostealer marketplaces typically display intelligence that includes the domains compromised with each individual infostealer. Infostealers can cause significant damage to an organization, with a single infection affecting a broad range of applications and systems. Infostealer marketplaces should be prioritized and scraped for relevant information pertaining to your organization.
Fortra recommends that security teams closely analyze URLs linked to their organization, especially those found within Infostealer logs for sale. These URLs can serve as valuable contextual intelligence to help determine whether an internal user has been compromised. It's critical to distinguish between internal and external URLs — threat actor access to internal URLs can be especially damaging, potentially granting exposure to sensitive environments such as project management platforms, collaboration tools, and other internal systems.
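One way to separate internal from external URLs when reviewing infostealer listings is shown below. This is an added example, not Fortra's tooling: the domain names, the internal zones and the sample URLs are assumptions constructed for illustration and should be replaced with your organization's own.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.com"}                              # assumed public zone
INTERNAL_ZONES = {"corp.example.com", "example.internal"}  # assumed staff-only zones
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def host_of(url):
    """Extract the lowercase hostname; listings often omit the scheme."""
    url = url.strip()
    if not _SCHEME.match(url):
        url = "//" + url  # urlsplit only recognises a host after "//"
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed bracketed IPv6 literal, etc.
        return ""

def in_zone(host, zones):
    # Match on a label boundary so lookalike hosts are not counted as ours.
    return any(host == z or host.endswith("." + z) for z in zones)

def classify_url(url):
    host = host_of(url)
    if not host:
        return "unparsed"
    try:
        return "internal" if ipaddress.ip_address(host).is_private else "unrelated"
    except ValueError:
        pass  # not an IP literal, continue with name checks
    if in_zone(host, INTERNAL_ZONES) or "." not in host:
        return "internal"  # staff-only zone or single-label intranet name
    if in_zone(host, ORG_DOMAINS):
        return "external"  # customer-facing property
    return "unrelated"

def internal_hosts(urls):
    """Internal hosts seen in a listing, most frequent first, for follow-up."""
    counts = Counter(host_of(u) for u in urls if classify_url(u) == "internal")
    return counts.most_common()

# Constructed sample URLs, not taken from any real listing.
SAMPLE_URLS = [
    "https://jira.corp.example.com/browse/SEC-1",
    "jira.corp.example.com/login.jsp",
    "https://portal.example.com/signin",
    "http://10.20.30.40:8443/admin",
    "https://example.com.evil.net/",
    "https://notexample.com/",
    "example.com/?next=https://portal.example.com",
]
```

Hits classified as internal point to a compromised employee or contractor device rather than a customer, so they are the ones to route to incident response first.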
Harnessing the Power of Dark Web Insights
Dark web intelligence empowers organizations to detect threats early, assess risks accurately, and respond proactively. By integrating this intelligence into security operations, teams can stay ahead of cybercriminals and reduce the impact of attacks. In today’s evolving threat landscape, continuous monitoring of the dark web is essential for safeguarding assets and maintaining trust.